× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. March 2010

Re: AS400 Class *USER and special authority *SECADM

John,

I think we're saying the same thing.

Now-a-days, I wouldn't expect to see anyone but QSECOFR to have *SECADM....

In fact, I kind of doubt *SECADM was ever given to other users.

Charles

On Wed, Mar 24, 2010 at 7:37 PM, John Earl <john.earl@xxxxxxxxxxxxxx> wrote:
Charles,

On Mar 24, 2010, at 5:32 AM, Charles Wilt wrote:

You understanding is incorrect.

Example, department managers may be
able to modify their own people.  Note that I don't believe this type
of usage is common now-a-days with SOX ect.

You're right, this is getting more common, but I think it is
misguided.  If I wanted a Dept Head to manage their own people I would
do it with an adopted authority program (that logged extensively)
rather than make multiple people *SECADM.  In order to make the
DEPTHEAD=*SECADM method work you would have to give the Dept Head
*CHANGE or *ALL authority to all of those profiles which would provide
them with the ability to masquerade as those users or to create new,
rogue users.

Also note that even if I don't have *ALLOBJ special authority, if you
give me *USE authority to any profile that has it(or *USE to any
profile that has *USE to any other profile, etc. etc. ), I can assume
that profile's identity and exercise *ALLOBJ.  I just happen to think
giving any user *USE (or more) authority to any other users profile
exposes an unwarranted level of risk.  IMHO, use adopted authority
instead.


jte

Also note that a user with *SECADM cannot give another user special
authorities, such as *ALLOBJ, that the *SECADM user doesn't have
themselves.

--
John Earl
President and CEO
Patrick Townsend Security Solutions
"The Encryption Company"

Olympia, WA | www.patownsend.com

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.



As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.